
Number Theory

Number Theory is the study of integers and their resulting structures. Why study it?

1. History: the first true algorithms were number-theoretic.
2. Analysis: We’ll learn about new kinds of running times and analyses.
3. Cryptography! Modern cryptosystems rely heavily on this stuff.
4. Computers are always dealing with integers anyway!

CS 355 (USNA) Unit 3 Spring 2012 1 / 30

How big is an integer?

The measure of difficulty for array-based problems was always the size of the array. What should it be for an algorithm that takes an integer n?


Factorization

Classic number theory question: What is the prime factorization of an integer n? Recall: A prime number is divisible only by 1 and itself. Every integer > 1 is either prime or composite. Every integer has a unique prime factorization. It suffices to compute a single prime factor of n.


leastPrimeFactor

Input: Positive integer n
Output: The smallest prime p that divides n, or "PRIME"

    i := 2
    while i*i <= n do
        if i divides n then return i
        i := i + 1
    return "PRIME"


Polynomial Time

The actual running time, in terms of the size $s \in \Theta(\log n)$ of $n$, is $\Theta(2^{s/2})$.

Definition

An algorithm runs in polynomial time if its worst-case cost is $O(n^c)$ for some constant $c$.

Why do we care? The following is sort of an algorithmic “Moore’s Law”:

Cobham-Edmonds Thesis

A computational problem can be feasibly solved on a computer only if it has a polynomial-time algorithm.

So our integer factorization algorithm is actually really slow!


Modular Arithmetic

Division with Remainder

For any integers a and m with m > 0, there exist integers q and r with 0 ≤ r < m such that a = qm + r.

We write a mod m = r. Modular arithmetic means doing all computations “mod m”.


Addition mod 15

      +   0  1  2  3  4  5  6  7  8  9 10 11 12 13 14
      0   0  1  2  3  4  5  6  7  8  9 10 11 12 13 14
      1   1  2  3  4  5  6  7  8  9 10 11 12 13 14  0
      2   2  3  4  5  6  7  8  9 10 11 12 13 14  0  1
      3   3  4  5  6  7  8  9 10 11 12 13 14  0  1  2
      4   4  5  6  7  8  9 10 11 12 13 14  0  1  2  3
      5   5  6  7  8  9 10 11 12 13 14  0  1  2  3  4
      6   6  7  8  9 10 11 12 13 14  0  1  2  3  4  5
      7   7  8  9 10 11 12 13 14  0  1  2  3  4  5  6
      8   8  9 10 11 12 13 14  0  1  2  3  4  5  6  7
      9   9 10 11 12 13 14  0  1  2  3  4  5  6  7  8
     10  10 11 12 13 14  0  1  2  3  4  5  6  7  8  9
     11  11 12 13 14  0  1  2  3  4  5  6  7  8  9 10
     12  12 13 14  0  1  2  3  4  5  6  7  8  9 10 11
     13  13 14  0  1  2  3  4  5  6  7  8  9 10 11 12
     14  14  0  1  2  3  4  5  6  7  8  9 10 11 12 13


Modular Addition

This theorem is the key for efficient computation:

Theorem

For any integers a, b, m with m > 0,
(a + b) mod m = ((a mod m) + (b mod m)) mod m

Subtraction can be defined in terms of addition:
- a − b is just a + (−b)
- −b is the number that adds to b to give 0 mod m
- For 0 < b < m, −b mod m = m − b


Multiplication mod 15

      ×   1  2  3  4  5  6  7  8  9 10 11 12 13 14
      1   1  2  3  4  5  6  7  8  9 10 11 12 13 14
      2   2  4  6  8 10 12 14  1  3  5  7  9 11 13
      3   3  6  9 12  0  3  6  9 12  0  3  6  9 12
      4   4  8 12  1  5  9 13  2  6 10 14  3  7 11
      5   5 10  0  5 10  0  5 10  0  5 10  0  5 10
      6   6 12  3  9  0  6 12  3  9  0  6 12  3  9
      7   7 14  6 13  5 12  4 11  3 10  2  9  1  8
      8   8  1  9  2 10  3 11  4 12  5 13  6 14  7
      9   9  3 12  6  0  9  3 12  6  0  9  3 12  6
     10  10  5  0 10  5  0 10  5  0 10  5  0 10  5
     11  11  7  3 14 10  6  2 13  9  5  1 12  8  4
     12  12  9  6  3  0 12  9  6  3  0 12  9  6  3
     13  13 11  9  7  5  3  1 14 12 10  8  6  4  2
     14  14 13 12 11 10  9  8  7  6  5  4  3  2  1


Modular Multiplication

There’s a similar (and similarly useful!) theorem to addition:

Theorem

For any integers a, b, m with m > 0,
(ab) mod m = (a mod m)(b mod m) mod m

What about modular division? We can view division as multiplication: $a/b = a \cdot b^{-1}$. $b^{-1}$ is the number that multiplies with b to give 1 mod m.

Does the reciprocal (multiplicative inverse) always exist?


Modular Inverses

Look back at the table for multiplication mod 15. A number has an inverse if there is a 1 in its row or column.


Multiplication mod 13

      ×   1  2  3  4  5  6  7  8  9 10 11 12
      1   1  2  3  4  5  6  7  8  9 10 11 12
      2   2  4  6  8 10 12  1  3  5  7  9 11
      3   3  6  9 12  2  5  8 11  1  4  7 10
      4   4  8 12  3  7 11  2  6 10  1  5  9
      5   5 10  2  7 12  4  9  1  6 11  3  8
      6   6 12  5 11  4 10  3  9  2  8  1  7
      7   7  1  8  2  9  3 10  4 11  5 12  6
      8   8  3 11  6  1  9  4 12  7  2 10  5
      9   9  5  1 10  6  2 11  7  3 12  8  4
     10  10  7  4  1 11  8  5  2 12  9  6  3
     11  11  9  7  5  3  1 12 10  8  6  4  2
     12  12 11 10  9  8  7  6  5  4  3  2  1

See all the inverses?


Totient function

This function has a first name; it’s Euler.

Definition

The Euler totient function, written ϕ(n), is the number of integers less than n that don’t have any common factors with n. Of course, this is also the number of invertible integers mod n. When n is prime, ϕ(n) = n − 1. What about ϕ(15)?


Modular Exponentiation

This is the most important operation for cryptography! Example: Compute $3^{2013} \bmod 5$.
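Repeated squaring computes this power with a handful of multiplications and never holds a value larger than m². The code is an added example, not from the original slides; the name modpow and the multiplication counter are illustrative.

```python
def modpow(a, e, m):
    """Return (a**e mod m, number of modular multiplications used)."""
    if m <= 0 or e < 0:
        raise ValueError("need m > 0 and e >= 0")
    result = 1 % m      # 1 % m also covers the degenerate modulus m == 1
    base = a % m        # reduce first: (ab) mod m = (a mod m)(b mod m) mod m
    mults = 0
    while e > 0:
        if e & 1:                       # current low bit of the exponent is set
            result = (result * base) % m
            mults += 1
        e >>= 1
        if e:                           # more bits remain: square the base
            base = (base * base) % m
            mults += 1
    return result, mults


if __name__ == "__main__":
    value, mults = modpow(3, 2013, 5)
    print("3^2013 mod 5 =", value, "using", mults, "multiplications")
    # A 2048-bit exponent still needs only a few thousand multiplications.
    big_e = 2**2048 - 1
    print("2048-bit exponent:", modpow(2, big_e, 8633)[1], "multiplications")
```

The number of multiplications is at most twice the bit length of the exponent, which is why the operation stays cheap for the key sizes used later in RSA.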


Computing GCD’s

The greatest common divisor (GCD) of two integers is the largest number which divides them both evenly. Euclid’s algorithm (c. 300 B.C.!) finds it:

GCD (Euclidean algorithm)

Input: Integers a and b
Output: g, the gcd of a and b

    if b = 0 then return a
    else return GCD(b, a mod b)

Correctness relies on two facts:
- gcd(a, 0) = a
- gcd(a, b) = gcd(b, a mod b)


Analysis of Euclidean Algorithm


Worst-case of Euclidean Algorithm

Definition

The Fibonacci numbers are defined recursively by:
$f_0 = 0$
$f_1 = 1$
$f_n = f_{n-2} + f_{n-1}$ for $n \ge 2$

The worst-case of Euclid’s algorithm is computing $\gcd(f_n, f_{n-1})$.


Extended Euclidean Algorithm

Computing gcd(a, m) tells us whether $a^{-1} \bmod m$ exists. This algorithm computes it:

Extended Euclidean Algorithm

Input: Integers a and b
Output: Integers g, s, and t such that g = GCD(a,b) and as + bt = g.

    if b = 0 then return (a, 1, 0)
    else
        (q, r) := DivisionWithRemainder(a, b)
        (g, s0, t0) := XGCD(b, r)
        return (g, t0, s0 - t0*q)
    end if

Notice: bt = g mod a. So if the gcd is 1, this finds the multiplicative inverse!
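The recursion above translated directly into Python, as an added example that is not part of the original slides; the helper names mod_inverse and invertible_elements are illustrative. Listing the invertible residues reproduces the 1s in the multiplication tables and counts ϕ(15) and ϕ(13).

```python
def xgcd(a, b):
    """Return (g, s, t) with g = gcd(a, b) and a*s + b*t == g."""
    if b == 0:
        return (a, 1, 0)
    q, r = divmod(a, b)              # division with remainder: a = q*b + r
    g, s0, t0 = xgcd(b, r)
    return (g, t0, s0 - t0 * q)


def mod_inverse(a, m):
    """Return a^-1 mod m, or None when gcd(a, m) != 1 (no inverse exists)."""
    g, s, _ = xgcd(a % m, m)
    if g != 1:
        return None
    return s % m                     # s may be negative; normalise to 0..m-1


def invertible_elements(m):
    """Map every invertible a in 1..m-1 to its inverse mod m."""
    table = {}
    for a in range(1, m):
        inv = mod_inverse(a, m)
        if inv is not None:
            table[a] = inv
    return table


if __name__ == "__main__":
    for m in (15, 13):
        table = invertible_elements(m)
        print("mod", m, "has", len(table), "invertible elements:", table)
```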


Cryptography

Basic setup:

1. Alice has a message M that she wants to send to Bob.
2. She encrypts M into another message E which is gibberish to anyone except Bob, and sends E to Bob.
3. Bob decrypts E to get back the original message M from Alice.

Generally, M and E are just big numbers of a fixed size. So the full message must be encoded into bits, then split into blocks which are encrypted separately.

A B C D E F G H I J K L M 1 2 3 4 5 6 7 8 9 10 11 12 N O P Q R S T U V W X Y Z 13 14 15 16 17 18 19 20 21 22 23 24 25


Example of blocking

message = (261, 400)

    261 = 0100000101 → 01000 = 8 = H, 00101 = 5 = E
    400 = 0110010000 → 01100 = 12 = L, 10000 = 16 = P


Public Key Encryption

Traditionally, cryptography required Alice and Bob to have a pre-shared key, secret to only them. Along came the internet, and suddenly we want to communicate with people/businesses/sites we haven’t met before. The solution is public-key cryptography:

1. Bob has two keys: a public key and a private key.
2. The public key is used for encryption and is published publicly.
3. The private key is used for decryption and is a secret only Bob knows.


RSA

RSA public key: A pair of integers (e, n)
RSA private key: A pair of integers (d, n)
The n’s are the same!

RSA Encryption

The message M should satisfy 2 ≤ M < n
$E = M^e \bmod n$

RSA Decryption

$M = E^d \bmod n$


RSA Example

Alice wants to send the message “HELP” to Bob.
Bob’s public key: (e, n) = (37, 8633)
Bob’s private key: (d, n) = (685, 8633)

Encryption

“HELP” → (261, 400) → ($261^e \bmod n$, $400^e \bmod n$) → (5096, 1385)

Decryption

(5096, 1385) → ($5096^d \bmod n$, $1385^d \bmod n$) → (261, 400) → “HELP”


RSA Key Generation

We need d, e, n to satisfy $(M^d)^e = M \bmod n$ for any M. Solution:

1. Choose 2 big primes p and q such that n = pq has more than k bits (to encrypt k-bit messages).
2. Choose e such that 2 ≤ e < (p − 1)(q − 1) and gcd((p − 1)(q − 1), e) = 1.
3. Compute $d = e^{-1} \bmod n$ with the Extended GCD algorithm.
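The key from the RSA Example slide checked end to end, as an added example that is not from the original slides. Letter values are assumed to follow the blocking example (H=8, E=5, L=12, P=16), and d is computed as the inverse of e modulo (p − 1)(q − 1), the modulus under which the example keys satisfy 37 · 685 ≡ 1. Because n = 8633 is tiny, trial division recovers d from the public key alone.

```python
# Assumption: A=1 ... Z=26, two 5-bit letters per block, first letter in the
# high bits, matching 261 = 01000 00101 on the blocking slide.
E_PUB, D_PRIV, N = 37, 685, 8633     # keys from the RSA Example slide


def to_blocks(text):
    """Pack letter pairs into 10-bit integers, as in the blocking example."""
    codes = [ord(c) - ord("A") + 1 for c in text]
    if len(codes) % 2 or not all(1 <= c <= 26 for c in codes):
        raise ValueError("expected an even number of letters A-Z")
    return [(hi << 5) | lo for hi, lo in zip(codes[0::2], codes[1::2])]


def from_blocks(blocks):
    """Inverse of to_blocks."""
    return "".join(chr((b >> 5) + 64) + chr((b & 31) + 64) for b in blocks)


def rsa_apply(blocks, exponent, n):
    """Encrypt (exponent = e) or decrypt (exponent = d) each block."""
    if not all(2 <= b < n for b in blocks):
        raise ValueError("each block M must satisfy 2 <= M < n")
    return [pow(b, exponent, n) for b in blocks]


def least_prime_factor(n):
    """Trial division, as on the leastPrimeFactor slide; None means prime."""
    i = 2
    while i * i <= n:
        if n % i == 0:
            return i
        i += 1
    return None


def private_exponent(e, n):
    """Rebuild d from the public key (e, n) by factoring n."""
    p = least_prime_factor(n)
    if p is None:
        raise ValueError("n is prime, not a product of two primes")
    phi = (p - 1) * (n // p - 1)
    return pow(e, -1, phi)           # modular inverse of e; needs Python 3.8+


if __name__ == "__main__":
    cipher = rsa_apply(to_blocks("HELP"), E_PUB, N)
    print(cipher, from_blocks(rsa_apply(cipher, D_PRIV, N)))
    print("d recovered from the public key:", private_exponent(E_PUB, N))
```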


RSA Analysis

We want to know how much the following cost:
- Generating a public/private key pair
- Encrypting or decrypting with the proper keys
- Decrypting without the private key

What would it take for this to be a secure cryptosystem?


Primality Testing

RSA key generation requires computing random primes. Good news: Primes are everywhere! In particular, about 1 in every k integers with k bits is prime. Bad news: Testing for primality seems difficult. We need to be able to do this faster than factorization!


Miller-Rabin Test

Input: Positive integer n
Output: "PRIME" if n is prime, otherwise "COMPOSITE" (probably)

    a := random integer in [2..n-2]
    d := n-1
    k := 0
    while d is even do
        d := d / 2
        k := k + 1
    end while
    x := a^d mod n
    if x = 1 or x = n-1 then return "PRIME"
    for r from 1 to k-1 do
        x := x^2 mod n
        if x = 1 then return "COMPOSITE"
        if x = n-1 then return "PRIME"
    end for
    return "COMPOSITE"
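One round of the test in Python with the first check written as x = 1 or x = n − 1, repeated with independent random bases. This is an added example, not from the original slides; the names miller_rabin_round, is_probable_prime and liar_counts are illustrative, and 561 = 3 · 11 · 17 is chosen because the simpler check a^(n−1) mod n = 1 passes for every base coprime to it.

```python
import random


def miller_rabin_round(n, a):
    """One round for odd n > 3 and base a; True means "PRIME" (probably)."""
    d, k = n - 1, 0
    while d % 2 == 0:                # write n - 1 = 2^k * d with d odd
        d //= 2
        k += 1
    x = pow(a, d, n)
    if x == 1 or x == n - 1:
        return True
    for _ in range(1, k):
        x = (x * x) % n
        if x == 1:                   # reached 1 without passing through n - 1
            return False
        if x == n - 1:
            return True
    return False


def is_probable_prime(n, rounds=20, rng=None):
    """Repeat the round with independent random bases from [2, n-2]."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    rng = rng or random.SystemRandom()
    return all(miller_rabin_round(n, rng.randrange(2, n - 1))
               for _ in range(rounds))


def liar_counts(n):
    """For composite n, count bases in [2, n-2] that wrongly pass each test."""
    bases = range(2, n - 1)
    fermat = sum(pow(a, n - 1, n) == 1 for a in bases)
    strong = sum(miller_rabin_round(n, a) for a in bases)
    return fermat, strong


if __name__ == "__main__":
    print("(Fermat liars, Miller-Rabin liars) for 561:", liar_counts(561))
    print(is_probable_prime(8633), is_probable_prime(2**61 - 1))
```

A prime always passes every round, so errors are one-sided: only a composite can be misreported, and each extra round shrinks that chance further.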


Cost analysis for k-bit encryption

The main capabilities we need are:
- Generating random primes
- Computing XGCDs
- Modular exponentiation

The cost of key generation is $O(k^4)$.
The cost of encryption and decryption is $O(k^3)$.


Security of RSA

We need to assert, without proof, that:

1. The only way to decrypt a message is to have the private key (d, n).
2. The only way to get the private key is to first compute ϕ(n).
3. The only way to compute ϕ(n) is to factor n.
4. There is no algorithm for factoring a number that is the product of two large primes in polynomial-time.

If all this is true, then as the key length k grows, the cost of factoring will always outpace the cost of encrypting/decrypting with the proper keys.


Summary

We acquired the following number-theoretic tools:
- Modular arithmetic (addition, multiplication, division, powering)
- GCDs and XGCDs with the Euclidean algorithm
- Primality testing (fast) and factorization (slow)

All these pieces are used in implementing and analyzing RSA.
